
Simon Willison’s Weblog

Weak Password Brings "Happiness" to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.


5 comments

  1. Recently:
    http://code.google.com/p/django-axes/

    Perhaps this (or similar) should be an included thing, like CSRF protection and auto-escaping?

    Jeremy Dunck - 7th January 2009 13:14 - #

  2. Similarly:
    http://www.djangosnippets.org/snippets/1083/

    Jeremy Dunck - 7th January 2009 13:28 - #

  3. The flip-side of rate limiting, of course, is that it provides an easy way to DoS the targeted account. I guess there's a trade-off between preventing breaches and preventing griefing.

    Another issue here was that admin logins are permitted from internet IPs--allied to which, Twitter staff appear to use their admin-enabled accounts for general-purpose personal use.

    But it seems unfair to castigate Twitter for this stuff. They're likely no worse than the average web app, just big enough to attract attackers, and unlucky to get hit three times over a weekend.

    phl - 7th January 2009 14:23 - #

  4. Django really should integrate rate limiting among other things to improve security.

    phl, excellent use of castigate!

    Dave K - 7th January 2009 16:39 - #

  5. Did the Twitter Admin change his password to "sadness" after he was hacked? haha... ok not funny

    coffee fiend - 10th January 2009 03:44 - #
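One shape the tracking the post asks for can take, as an added example that is neither the post's own code nor django-axes: a sliding-window counter keyed on the (username, source IP) pair and on the source IP alone, so that the account lockout phl describes in comment 3 cannot be aimed at a victim's account from an outside address. The names, limits and window length are assumptions, and `check_password` stands in for whatever verifier the application already has.

```python
from collections import defaultdict, deque

# Constructed example, not code from the post or from django-axes. Failures are
# counted per (username, source IP) and per source IP, never per username alone,
# so an attacker hammering one account cannot lock its real owner out from a
# different address (the DoS trade-off raised in the comments). Limits are hypothetical.
PAIR_LIMIT = 5        # failures allowed per (username, ip) inside the window
IP_LIMIT = 20         # failures allowed per ip across all usernames
WINDOW_SECONDS = 900  # 15-minute sliding window


class FailedLoginTracker:
    def __init__(self):
        self._pair_hits = defaultdict(deque)  # (username, ip) -> timestamps
        self._ip_hits = defaultdict(deque)    # ip -> timestamps

    @staticmethod
    def _prune(hits, now):
        # Drop timestamps that have slid out of the window, return what is left.
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        return len(hits)

    def is_blocked(self, username, ip, now):
        pair = self._prune(self._pair_hits[(username, ip)], now)
        per_ip = self._prune(self._ip_hits[ip], now)
        return pair >= PAIR_LIMIT or per_ip >= IP_LIMIT

    def record_failure(self, username, ip, now):
        self._pair_hits[(username, ip)].append(now)
        self._ip_hits[ip].append(now)

    def record_success(self, username, ip):
        # A good login clears the pair counter only; the per-ip counter stays so
        # one valid login does not reset a password-spraying source.
        self._pair_hits.pop((username, ip), None)


def attempt_login(tracker, username, password, ip, check_password, now):
    """Gate a password check behind the tracker; returns 'blocked', 'ok' or 'failed'.
    check_password is the application's own verifier (hypothetical callback)."""
    if tracker.is_blocked(username, ip, now):
        return "blocked"  # log and refuse before the password is even evaluated
    if check_password(username, password):
        tracker.record_success(username, ip)
        return "ok"
    tracker.record_failure(username, ip, now)
    return "failed"
```

Every "blocked" result is worth logging with the username and source address, since a burst of them against one account is exactly the signal the post says most applications never see.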
